ozg-3322 use namespace truststore

d30eaf57 · OZGCloud · 50e659e0 · d30eaf57 · d30eaf57 · d30eaf57
Commit d30eaf57 authored 1 year ago by OZGCloud
--- a/src/main/helm/templates/_helpers.tpl
+++ b/src/main/helm/templates/_helpers.tpl
@@ -146,3 +146,11 @@ app.kubernetes.io/namespace: {{ include "app.namespace" . }}
 {{- define "app.serviceAccountName" -}}
 {{ printf "%s" ( (.Values.serviceAccount).name | default "user-manager-service-account" ) }}
 {{- end -}}
+{{- define "app.truststoreSecretName" -}}
+{{- if .Values.optionalTrustStoreSecretName -}}
+{{ .Values.optionalTrustStoreSecretName }}
+{{- else -}}
+{{ printf "%s-truststore" .Release.Namespace }}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
--- a/src/main/helm/templates/deployment.yaml
+++ b/src/main/helm/templates/deployment.yaml
@@ -116,16 +116,16 @@ spec:
        {{- with (.Values.env).customList }}
 {{ toYaml . | indent 8 }}
        {{- end }}
-        {{- if .Values.optionalTrustStoreSecretName }}
+        {{- if not .Values.disableNamespaceTruststore }}
-        - name: TRUST_STORE_PASSWORD
+        - name: TRUSTSTORE_PASSWORD
          valueFrom:
            secretKeyRef:
-              name: {{ .Values.optionalTrustStoreSecretName }}
+              name: {{ include "app.truststoreSecretName" . }}
              key: password
              optional: false
        args:
-          - '-Djavax.net.ssl.trustStore=/optional-trust-store/truststore.jks'
+          - '-Djavax.net.ssl.trustStore=/namespace-truststore/truststore.jks'
-          - '-Djavax.net.ssl.trustStorePassword=$(TRUST_STORE_PASSWORD)'
+          - '-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)'
        {{- end }}
        image: "{{ .Values.image.repo }}/{{ .Values.image.name }}:{{ coalesce (.Values.image).tag "latest" }}"
        imagePullPolicy: Always
@@ -191,7 +191,6 @@ spec:
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        tty: true
-        {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}
        volumeMounts:
          {{- if not .Values.disableGrpcServerTls }}
          - name: user-manager-tls-certificate
@@ -203,25 +202,21 @@ spec:
            subPath: tls.key
            readOnly: true
          {{- end }}
-          {{- if .Values.optionalTrustStoreSecretName }}
+          {{- if not .Values.disableNamespaceTruststore }}
-          - name: optional-trust-store
+          - name: namespace-truststore
-            mountPath: "/optional-trust-store/truststore.jks"
+            mountPath: "/namespace-truststore"
-            subPath: truststore.jks
            readOnly: true
          {{- end }}
-        {{- end }}
-      {{- if or (not .Values.disableGrpcServerTls) .Values.optionalTrustStoreSecretName }}
      volumes:
        {{- if not .Values.disableGrpcServerTls }}
         - name: user-manager-tls-certificate
           secret:
              secretName: user-manager-tls-cert
        {{- end }}
-        {{- if .Values.optionalTrustStoreSecretName }}
+        {{- if not .Values.disableNamespaceTruststore }}
-         - name: optional-trust-store
+         - name: namespace-truststore
           secret:
-              secretName: {{ .Values.optionalTrustStoreSecretName }}
+              secretName: {{ include "app.truststoreSecretName" . }}
-        {{- end }}
        {{- end }}
      dnsConfig: {}
      dnsPolicy: ClusterFirst

--- a/src/test/helm/deployment_optional_trust_store_test.yaml
+++ b/src/test/helm/deployment_optional_trust_store_test.yaml
@@ -22,66 +22,98 @@
 # unter der Lizenz sind dem Lizenztext zu entnehmen.
 #
-suite: test environments
+suite: test namespace truststore
 templates:
  - templates/deployment.yaml
+release:
+  name: user-manager
+  namespace: by-helm-test
 set:
  ozgcloud:
    bundesland: by
    bezeichner: helm
-    environment: dev
+    environment: test
  sso:
    serverUrl: sso.test.sh.ozg-cloud.de
  baseUrl: test.sh.ozg-cloud.de
 tests:
  - it: check without truststore
+    set:
+      disableNamespaceTruststore: true
    asserts:
      - notExists:
          path: spec.template.spec.containers[0].args
      - notContains:
          path: spec.template.spec.containers[0].env
          content:
-            name: TRUST_STORE_PASSWORD
+            name: TRUSTSTORE_PASSWORD
      - notContains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
-            name: optional-trust-store
+            name: namespace-truststore
-            mountPath: "/optional-trust-store/truststore.jks"
+          any: true
-            subPath: truststore.jks
-            readOnly: true
      - notContains:
          path: spec.template.spec.volumes
          content:
-            name: optional-trust-store
+            name: namespace-truststore
+          any: true
+  - it: check with default namespace truststore
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].args
+          value: 
+          - '-Djavax.net.ssl.trustStore=/namespace-truststore/truststore.jks' 
+          - '-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)'
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: TRUSTSTORE_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: by-helm-test-truststore
+                key: password
+                optional: false
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: namespace-truststore
+            mountPath: "/namespace-truststore"
+            readOnly: true
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: namespace-truststore
+            secret:
+              secretName: by-helm-test-truststore
-  - it: check with truststore
+  - it: check with optional truststore
    set:
-      optionalTrustStoreSecretName: optional-trust-store-secret
+      optionalTrustStoreSecretName: optional-truststore-secret
    asserts:
      - equal:
          path: spec.template.spec.containers[0].args
          value: 
-          - '-Djavax.net.ssl.trustStore=/optional-trust-store/truststore.jks' 
+          - '-Djavax.net.ssl.trustStore=/namespace-truststore/truststore.jks' 
-          - '-Djavax.net.ssl.trustStorePassword=$(TRUST_STORE_PASSWORD)'
+          - '-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)'
      - contains:
          path: spec.template.spec.containers[0].env
          content:
-            name: TRUST_STORE_PASSWORD
+            name: TRUSTSTORE_PASSWORD
            valueFrom:
              secretKeyRef:
-                name: optional-trust-store-secret
+                name: optional-truststore-secret
                key: password
                optional: false
      - contains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
-            name: optional-trust-store
+            name: namespace-truststore
-            mountPath: "/optional-trust-store/truststore.jks"
+            mountPath: "/namespace-truststore"
-            subPath: truststore.jks
            readOnly: true
      - contains:
          path: spec.template.spec.volumes
          content:
-            name: optional-trust-store
+            name: namespace-truststore
            secret:
-              secretName: optional-trust-store-secret
+              secretName: optional-truststore-secret
\ No newline at end of file
--- a/src/test/helm/deplyoment_cert_bindings_test.yaml
+++ b/src/test/helm/deplyoment_cert_bindings_test.yaml
@@ -81,13 +81,6 @@ tests:
            name: user-manager-tls-certificate
          any: true
-  - it: should not have volume mounts
-    set:
-      disableGrpcServerTls: true
-    asserts:
-      - notExists:
-          path: spec.template.spec.containers[0].volumeMounts
  - it: should not have volume for user-manager root certificate
    set:
      disableGrpcServerTls: true
@@ -96,10 +89,3 @@ tests:
      - notContains:
          path: spec.template.spec.volumes
        any: true
-  - it: should not have volume
-    set:
-      disableGrpcServerTls: true
-    asserts:
-      - notExists:
-          path: spec.template.spec.volumes